AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Well, how might I tell AG is working without trialing "what if's".
    About a year ago I ran AppGuard for a few weeks. Lots of Activity Report Events re Sandboxie and Firefox and Internet Explorer and stuff that I'd never seen with lots of Alerts and out of control tray Icon blinking.
So, I shelved AppGuard. Recently dusted off AppGuard and set her beside the Sandboxie tray Icon. Almost no Activity Report Events with few Alerts and controlled tray Icon blinking. AG Customize looks the same.
    Trying to grasp what sparked crazed out of control AG from a year ago.
    Yes, I'm sure all suggestions and comments are well intended. As are my questions.
    I have five events ignored related to rescache.hit. rescache.hit = ?
    And only time AppGuard speaks to me since dusted off is when I try to do legit.
Since being dusted off, AG is akin to UAC. I want to do something and AG asks are you sure. Yes, drop to Install.
    As far as I know AG is working....but, all I see as evidence is need for Install.
    Read and re-read ....sure, okay.
"When AG is either at Install or Off, it doesn't protect". That's as I imagined.
    When I invoke unknown. I want Guard Dog. Not Ignore.
    When I invoke known. I want Guard Dog to Ignore.
    Thanks
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,813
    Location:
    .
    Just an off-topic Peter. As a non-native anglophone that amazes me. :)
     
  3. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
mmc.exe = in charge of Windows Services GUI and Windows Firewall GUI
net.exe (and, to a lesser extent, sc.exe) = in charge of Windows Services modifications via command line
netsh.exe (along with advfirewall firewall) = in charge of Windows Firewall Policy via command line

    ...slap the 32 and 64 versions into AG User Space and you have a strong grasp on keeping services and firewall intact. You will be required to set respective files to Include=No if you want to change service status or firewall rule status.
     
    Last edited: Dec 31, 2015
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Answers to these questions already posted here: #3975

    1) You don't have to (and shouldn't) run AppGuard in Install mode to test programs inside a sandbox that is in user-space. Install mode is for installing and updating software, not for running existing apps. You should use one of the ways mentioned in post #3975 instead.

    2) You are applying AppGuard user-space launch restrictions to drive-by downloads in the sandbox. The reason you might choose to do this, rather than use Sandboxie start/run restrictions, is explained in post #3975.

    EDIT #1: Just to make this absolutely clear, you don't have to include a sandbox in user-space if you don't want to. If the sandbox container folder is in the default location of c:\sandbox, all sandboxes within the container will be in system-space unless you include them in the user-space definition. If you ever relocate the sandbox container folder to a non-system volume or a RAM disk, it would automatically be in user-space and you would need to take steps if you wanted to exclude any sandboxes within the container from the user-space definition. Post #3975 explains how to do that.

    The best solution with Sandboxie is to use multiple sandboxes and separate them according to use. Sandboxes used only for running existing apps work best in user-space; sandboxes used only for installing and testing new apps work best in system-space. Using multiple sandboxes, you get the best of both worlds. You can then configure each sandbox separately within AppGuard, irrespective of which volume the sandbox container folder is located on. All the information you need to do this is contained in post #3975.

    The bottom line is that, when it comes to Sandboxie, nothing is cast in stone. Experimenting with AppGuard settings is also a good way of learning about how AppGuard works. The only caveat is that, when changing settings, always make a note of what you did so you can undo the change if something isn't working as expected.

    EDIT #2: Below is a summary of the advantages and disadvantages of system-space and user-space sandboxes.

    System-space Sandbox
    What is meant here by a system-space sandbox is: either a system-space sandbox folder or a user-space sandbox folder that has been excluded from the user-space definition by listing it in the User Space tab and setting the Include flag to No. If a system-space folder then it will have been listed as an Exception Folder in the Guarded Apps tab to allow write access for guarded apps running sandboxed.

    Advantages:
    • Programs installed inside the sandbox for software testing are allowed to run without AppGuard user-space launch restriction.
    Disadvantages:
    • Drive-by downloads into the sandbox are allowed to run unless Sandboxie start/run restrictions are used to prevent it.
    • If Sandboxie start/run restrictions are used, ALL programs to be run sandboxed must be whitelisted in Sandboxie.
    System-space sandboxes work well for software testing due to the lack of AppGuard user-space launch restriction, but are less secure for sandboxing browsers where drive-by downloads might be a concern.

    User-space Sandbox
    What is meant here by a user-space sandbox is: either a user-space sandbox folder or a system-space sandbox folder that has been included in the user-space definition by listing it in the User Space tab and setting the Include flag to Yes. If a system-space folder then it will also have been listed as an Exception Folder in the Guarded Apps tab to allow write access for guarded apps running sandboxed.

    Advantages:
    • AppGuard user-space launch restriction prevents drive-by downloads into the sandbox from running.
    • No need to use Sandboxie start/run restrictions, avoiding the need to whitelist in Sandboxie ALL programs to be run sandboxed.
    Disadvantages:
    • AppGuard user-space launch restriction must be disabled for programs installed inside the sandbox for software testing, either by listing them as guarded apps in the Guarded Apps tab or by temporarily allowing user-space launches from the tray icon right-click menu.
    User-space sandboxes are more secure for sandboxing browsers where drive-by downloads might be a concern, but are inconvenient for software testing due to AppGuard user-space launch restriction.
     
    Last edited: Jan 1, 2016
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am going to take these in reverse order.

First the known and unknown. If this is what you want, and there is nothing wrong with it, then forget Appguard. It doesn't know known vs unknown. It only knows guarded or not, and system space vs user space. If you truly want known vs unknown, then an AV like NVT ERP is your cup of tea. It could care less where a program resides. If it's in its whitelist it runs; if not, the guard dog barks. But the choice is yours.

Now the first question, how can I tell it's working. Here's a good test, but it is easiest if you use an imaging program which you can comfortably restore with. Steps:

1. Download a security program install like one of the Emsisoft products. EAM is a good choice. Put the installer on your desktop, and also place Appguard in Lockdown.
2. Now image your system.
3. Try running the installer. Appguard should block it because it is in user space.
4. Move the installer to the c:\program files folder, not a specific folder though, and create a shortcut to it on the desktop.
5. Invoke the installer. The program should install fine, as it is now in system space and can run.
6. Restore the image and repeat step 4.
7. In the Appguard settings, make the installer located in the program files folder a guarded app. Doing this, the installer should run, but will quickly fail, because it can't write to the windows or program files folders.
8. Restore the system back.

This tells you appguard is working as it should. Once this is done you have a simple choice. Run Appguard with the settings you've been given and be happy, or don't use appguard and be happy.

    Happy New Year,

    Pete
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I have noticed what seems like a bug?
    I added c:\program files (x86)\hitmanpro.alert\hmpalert.exe to Power Applications.
But when checking back, this is set to c:\program files\hitmanpro.alert\hmpalert.exe
    And it happens for other (x86) .exes as well.
    Anyone else have this?
     
  7. guest

    guest Guest

Did you have some reboots after adding HMPA, or did you just check back a few moments after?
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    No reboot. Can replicate this.
    Add hmpalert.exe (x86), Apply, OK, minimize, reopen AG>Advanced tab, now it's c:\program files\hitmanpro.alert\hmpalert.exe
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
Sorry for the late reply. I have not been able to get on the computer due to migraine headaches. They have been bad for the past couple of weeks. It will still be a few more days before I can get on the computer much. I will look into this soon. Guarded applications are supposed to be able to launch in Locked Down Mode, so that should be expected behavior. I'm not sure why it can't launch now without doing some testing. I will try it soon, and get back with you.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I reported this a long time ago, and I think I was informed it was a GUI bug that does not affect functionality. I'm not sure why it has not been fixed. I forgot all about it until seeing your post just now. I will remind Barb about it soon.

    edited 01/05 @ 7:42
     
  11. guest

    guest Guest

I got your issue too, but after a reboot :D
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I reported the problem again today. There should be a few different GUI bugs they are working on that I have reported. Also, I requested that AG remember the last path browsed when adding Powerapps, and adding something to the user-space. At the present time you have to browse back to the folder over, and over again.
     
  13. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Okay, so for testing/launch in sandbox (not Guarded Apps). I should toggle User Space c:\sandbox Yes to No in lieu of drop to Install.
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks. I had noticed that also.
     
  15. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    That's correct. Only use Install mode when installing and updating software, never to run applications. Rather than toggling the Include flag in the User Space tab though, you might find it quicker to temporarily allow user space launches from the right-click tray icon menu.
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
Well, I'll be testing a setup installer which may include updating and running. For example, I installed and ran a scan with SpyHunter (crap) in my test sandbox.
     
  17. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Yes, you will need to use Install mode for that.
     
  18. hjlbx

    hjlbx Guest

    All a tester knows is that it happens on their specific system; they do not know if an issue can be reproduced on another system - specifically BRN's.

    This is especially true for those testers that have only one system.
I suspect this is due to sysnative and/or Wow6432Node; the way 32 bit files are handled by the OS/registry on 64 bit systems.

    However, a definitive answer needs to come from BRN.
     
  19. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
It has been a while since I have installed any program into a sandbox, but if I remember right, when the include flag is No you can install a program into a sandbox in Medium or maybe even in Locked Down mode.
     
  20. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I've never tried it, but I think that should probably work. This is why I believe the most flexible approach is to use separate dedicated sandboxes for web browsing and for software testing, with run restriction settings as follows.

    Sandboxes for running guarded apps should have run restriction applied. If the sandbox folder is in system space (i.e. on the system drive), it should be listed in the User Space tab with the Include flag set to Yes (if not using Sandboxie start/run restrictions). If the sandbox folder is in user space (i.e. on an additional drive or RAM disk), nothing needs to be done to add AppGuard run restriction.

    Sandboxes for testing software should not have run restriction applied. If the sandbox folder is in user space, it should be listed in the User Space tab with the Include flag set to No (as you said). If the sandbox folder is in system space, nothing needs to be done to remove AppGuard run restriction.

    In bjm_'s case, he is using a single sandbox (default location of c:\sandbox) for web browsing and software testing. He has the Include flag set to Yes, for extra security when web browsing, then lowers the protection level to Install when he wants to test software in the sandbox. At least, I think that's what he's doing.

    As you say, changing the Include flag to No to install software might also work. If so, temporarily allowing user space launches unguarded from the tray icon to install software might also work. Again, I haven't tried this myself.
     
  21. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
Your post, pegr, is as always a good one. My post was only to point out that there is no need to set AppGuard to Install mode if you have a sandbox set so.

Myself, I am currently using just a DefaultBox (I have only the free version), and because of AG I don't need to set any start/run restrictions on it.
So of course the include flag is set to Yes. In case I wanted to test some software installed sandboxed, the flag would need to be set to No or, as you said, allowing launches from the tray icon might also work.

It is good that you reminded users that the include flag should be set to Yes when running system-installed guarded apps sandboxed, so that those of us running a free, non-restricted sandbox also have AG protection.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Pegr, thanks as always for your posts. Every time you post things just get a little bit clearer.

    Pete
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    I have separate sandboxes (default location of c:\sandbox).
     
    Last edited: Jan 9, 2016
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    +1
     
  25. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I've tested this now and here are the results I got. At the Medium protection level, software can be installed from:
    • system-space folders that have not been added to the user-space definition with Include = Yes
    • user-space folders that have been added to the user-space definition with Include = No
    At the Locked Down protection level, software cannot be installed.
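To make the thread's rules easier to reason about, here is an added example that models, in Python, how a program's effective space is decided and whether an unguarded launch is allowed at the Medium protection level, as pegr describes in posts #4, #20 and #25 and marzametal in post #3. This is a constructed model written for this page, not AppGuard's own code or anything published by BRN. Assumptions: the system drive is C: (so folders on it are system-space by default and anything elsewhere, such as a RAM disk, is user-space by default); User Space tab entries apply to everything beneath them, with the longest matching entry winning; guarded apps and the tray icon's temporary "allow user space launches" both lift the launch restriction. Only the Medium level is modelled, and all paths and names are made up.

```python
"""Model of AppGuard's user-space / system-space launch rules as described in the thread.

Constructed example for this page, not AppGuard's code. Assumptions (not from the thread):
the system drive is C:, User Space tab entries match by longest path prefix, and only
the Medium protection level is modelled.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

SYSTEM_DRIVE = "C:"  # assumption: Windows is installed on C:


@dataclass
class AppGuardPolicy:
    # User Space tab: path -> Include flag (True = Yes, False = No)
    user_space_entries: dict = field(default_factory=dict)
    # Guarded Apps tab: full paths of guarded executables
    guarded_apps: set = field(default_factory=set)
    # Tray icon right-click: temporarily allow user-space launches
    temp_allow_user_space: bool = False


def _norm(path: str) -> PureWindowsPath:
    """Case-insensitive, normalised Windows path for comparisons."""
    return PureWindowsPath(path.lower())


def default_space(path: str) -> str:
    """Without any User Space tab entry: system volume => system-space, else user-space."""
    return "system" if _norm(path).drive.upper() == SYSTEM_DRIVE else "user"


def effective_space(policy: AppGuardPolicy, path: str) -> str:
    """Apply the User Space tab: Include=Yes pulls a path into user-space,
    Include=No pushes it out. The most specific (longest) entry wins."""
    target = _norm(path)
    best_entry, best_include = None, None
    for entry, include in policy.user_space_entries.items():
        e = _norm(entry)
        if target == e or e in target.parents:
            if best_entry is None or len(e.parts) > len(best_entry.parts):
                best_entry, best_include = e, include
    if best_entry is None:
        return default_space(path)
    return "user" if best_include else "system"


def launch_allowed_at_medium(policy: AppGuardPolicy, exe_path: str) -> bool:
    """Medium level: unguarded launches from effective user-space are blocked unless
    the program is a guarded app or user-space launches are temporarily allowed."""
    if _norm(exe_path) in {_norm(g) for g in policy.guarded_apps}:
        return True
    if effective_space(policy, exe_path) == "system":
        return True
    return policy.temp_allow_user_space


def example_policy() -> AppGuardPolicy:
    """Constructed setup: one browsing sandbox pulled into user-space, one test sandbox
    on a RAM disk pushed out of it, and mmc.exe listed as marzametal suggests."""
    return AppGuardPolicy(
        user_space_entries={
            r"C:\Sandbox\Web": True,                       # browsing sandbox: Include=Yes
            r"R:\Sandbox\Test": False,                     # RAM-disk test sandbox: Include=No
            r"C:\Windows\System32\mmc.exe": True,          # services/firewall GUI locked down
        },
        guarded_apps={r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    )


if __name__ == "__main__":
    policy = example_policy()
    for exe in [
        r"C:\Sandbox\Web\drive\downloaded.exe",   # drive-by download into browsing sandbox
        r"C:\Sandbox\Test\setup.exe",             # default-location test sandbox, not listed
        r"R:\Sandbox\Test\setup.exe",             # RAM-disk test sandbox, Include=No
        r"R:\Sandbox\Other\tool.exe",             # RAM-disk folder with no entry at all
        r"C:\Windows\System32\mmc.exe",
    ]:
        print(f"{exe:45} {effective_space(policy, exe):7} "
              f"launch@Medium={launch_allowed_at_medium(policy, exe)}")
```

Flipping the mmc.exe entry to Include=No is the step marzametal describes for when you actually want to change a service or firewall rule; in this model that single change is what turns the launch from blocked to allowed, which is the behaviour to expect and to look for in the Activity Report.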
     